Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

But that doesn't prove anything. Could I not just as easily be at someone else's computer doing that? Once again, nothing I can do or so is going to be something irrefutable so he's either going to have to man up and just prove himself or slink off like a chickenshit. I honestly don't give a flying fuck.

You misunderstand. I don't give a flying fuck if tukang does or doesn't believe me or does or doesn't attack my computer because my point is that if the original poster wants to prove his laughable statement that he has my information to do so. Most likely he won't because he's wrong and is most likely a chickenshit the same as tukang.

What would that accomplish? So somebody else's Windows computer could be hacked.

Anyway, your Slashdot user ID number is stored in plain readable text in the cookies.sqlite file, which would be the most obvious way to determine if you'd got into the right computer. If you wanted to, I mean...

Granted, that same cookie could probably be used to access your Slashdot account, but I'm confident he'd never do that...

My point is that any evidence I can give can easily be faked. Nothing I can do or say is 100% irrefutable evidence. Hell I could be posting from my friend's computer that is running Slackware instead of Windows and we could be doing nothing but laughing at tukang. He's never going to know if that's true or not despite what I can say to the contrary.

No doubt. But the overall point was that Windows is "stupidly easy" to compromise, and if that's true it presumably wouldn't be that hard to determine that the computer at that IP wasn't even running Windows. Anyway, I still think you should have posted the IP address for the FBI or CIA or some other spook agency on the outside chance that he'd really try to break in.

Oh yeah? Stupid easy - ok. Compromise my machine then. Windows 7 64 bit, I've been lazy about patching it, haven't done so for about a month. My IP address is 24.107.113.55, and I've set my pc as the DMZ for all inbound traffic. I'll be at work for about 8 hours, I'll leave it running. Good luck.

I got into your computer and turned it off, it's inappropriate to waste energy like that. Think of the environment!

I can't tell whether this is a joke or not. THE GP's IP is not responding to ping and nmap reports the host is down (I know that these don't mean anything on its own, but deep down, I so wish parent isn't joking!)

Experience (do not install any softwares without making a diff of you registry before and after) and sensible software configuration (like no script in wmv, no script in pdf,..., no script in any kind of document except a web page with everything from the adds servers around the world blacklisted) works even better but is it less convenient.

Yet another story hinting at the huge lie that is perpetrated on the world in the form of antivirus "protection". Like I've always said, these tools do more to undermine my PC than malware ever has. A good "secure-by-default" installation and a decent understanding of responsible Internet use is all you need. Instead, most people deal with significantly slower performance, and borderline criminal subscription tactics. Protection from new and future threats has always been and will always be a fantasy.

One fundamental problem in home computer security is that vendors disagree on how to define [c2.com] "good 'secure-by-default' installation". For example, does it involve establishing a policy of trusting a third party to determine whether each program is safe and enforcing this policy with no way for the end user to override it? Apple (iOS), Microsoft (Xbox 360 and Windows Phone 7), Nintendo, and Sony seem to think so.

That's a good point. I guess all I meant by secure-by-default is an installation that separates system tasks and user tasks. So, users don't have access to change the OS, and they play wildly in their own sandbox. I know that malware can often just skirt those protections and root the system using vulns. That's why I added responsible Internet use. Despite running without any protection at all, I never get the infections that the rest of my family does.

So you define "secure-by-default" as what I perceive to be the default scenario in Ubuntu, Mac OS X, and Windows Vista/7: only a user with administrative privileges can make system-wide changes, and such users are prompted to elevate before making system-wide changes. Thank you for getting that out of the way, although some people are likely to reply about the data in their user account being ultimately more precious than the operating system. The next problem is coming up with a practical way to instill "a

> So, users don't have access to change the OS, and they play wildly in their own sandbox

That is nothing more than a dogma. For single user, personal machines I could care less about the OS being safe. What I care more about are my personal files. I hope that after 20 years or so of using a PC, i've got some value in my personal files. THAT's what i don't want compromised - THAT's what needs to be safe. Not the OS that I can download and re-install in under an hour.

Yet another story hinting at the huge lie that is perpetrated on the world in the form of antivirus "protection". Like I've always said, these tools do more to undermine my PC than malware ever has. A good "secure-by-default" installation and a decent understanding of responsible Internet use is all you need. Instead, most people deal with significantly slower performance, and borderline criminal subscription tactics. Protection from new and future threats has always been and will always be a fantasy.

Not all antivirus is created equal, MSE is very lightweight on resources, and it is free - so no 'criminal subscription tactics". And it do offer additional protection. For me it has several times flagged and cleaned malware, sometimes from quite surprising sources. You can have as safe user practices you want, but that won't completely avoid accidental exposure - malware have been found even on brand new USB memory sticks in unopened shrink wrap.

Instead of secure by default, you have run by default in all 3 major environments... Linux, Windows, OSx

Time is running out for this insane approach to doing things... the various band-aids are now in play are rapidly losing their efficacy, and none address the basic issue: code can no longer be trusted.

Fortunately. a few brave souls have ventured into this area with projects oriented at fixing the situation properly.

In the Linux area, seccomp-nurse [chdir.org] is a sandboxing framework based on SECCOMP. It is designed

Javascript really is the source of the most recent problems because it can allow entry into systems and activation of malware remotely. This is why ActiveX is also bad. Developers rush into this kind of technology thinking of the payoff but not the cost.

Really though, JS is totally unnecessary so I run noscript and I don't visit sites that have a zillion JS calls to different sites. I probably could turn antivirus off and still be okay.

JavaScript makes sense because for a lot of sites, it is either JavaScript... or Flash for most interactive content. And yes, I know that HTML 5 will be the cure-all for JavaScript/Flash but it isn't out yet and JavaScript is the best we've got

Look at these templates. Not one of these uses Javascript and they are amazing. They are functional.

They don't have the same level of backend code pushing that you see with JS topheavy sites, but they also don't have a lot of the annoying "features".

Google for example has a semi-new feature that when you press scroll down the JS captures your keypress and pushes your focus to the next search result. This is horrible and I don't see a way to disable it. When I press downarrow I want t

But those are all static pages. Of course if you are doing nothing but displaying static content it makes sense to not use JS. Slashdot used to be perfectly fine long before they made it so JS heavy as well. Apparently, though, it was way more fun to create a laggy AJAXy experience over fixing the bugs in the older discussion system.

I still wish Slashdot had not done the changes in the UI they did. The problem I'm finding with Slashdot is when I click of text or double click it, it collapses instead of selects text. That's a huge change from the way things are supposed to work.

Google for example has a semi-new feature that when you press scroll down the JS captures your keypress and pushes your focus to the next search result. This is horrible and I don't see a way to disable it.

Go into your Google settings and turn off "Instant" and the arrow keys will return to normal functionality. Why instant and the scroll thing are related, I don't know.

I was thinking about this a few days ago. I don't know much about HTML5, but if it has similar capabilities as JS and Flash, how am I going to have the equivalent of NoScript and AdBlock? I _hope_ someone is working on suitable countermeasures.

Why not have the browser have some kind of globally coordinated download queue that queues the download until someone can scan it. If it's (by URL) already been scanned, then let it download, then verify the MD5 sum of the downloaded vs scanned content. If it matches, then all is good. If not delete it. I don't define "scanned" because it could be a virus scan, or an automated install to a virtual machine, which reports back any opened ports or initiated connections for further review.

For years, I have had machines on the net that never used any antivirus. And so far, no virus on them either. Nice to have a system that is designed not to be vulnerable. (There is the occational software security error, but they usually get fixed before anyone have time to exploit them.)

If you care about security, don't bother with windows - or any system that need third-party security add-ons to work reliably. Windows has a series of design errors, in addition to the occational programming errors. Runni

Then I got flagged by Google as having malware and I was like... wtf... I don't even actively usethose sites. So, I FTP'd in and downloaded some files, there was an injection of code in all ofmy index.htm(l) and default.htm(l) files.

Now, I've had 1and1, since they came to the US. I had a plan back then that had all the goodies,ssh access to my shell for my sites, so it was easy to administer.

Well, "because of new policies" my old service I had was changed to another... like the cellcompanies moving you around on new plans. My new plan, has no ssh access.

What's worse, 1and1, refused to give me shell access so I could take care of all of thosemalware files.

So, like I said, since I don't really use those sites, I just deleted them all via FTP and told1and1 to go fuck themselves. I put up what I needed that was important (after cleaning) onan EC2 "free" instance.

Not to defend 1and1 (they have really horrible support), but isn't it a little unfair to blame them for you having bad policies that allow malware to be injected into all of your files?{snip} So nice rant, but no sympathy here, except maybe for google.

I appreciate your reply... and I'm not looking for sympathy, just vent.

And, I had something completely different written here a minute ago, thinkingI may have said something, at all... that sounded like I was blaming 1and1for anything other than sitting on their collective asses and not giving meaccess (not asking them to do it for me, just access) to my site, for 24 hoursvia ssh to clean up. You know, one simple command that says, delete index.htm*&& default.htm*, Instead of taking a half hour to g

Strangely enough, I just got my first ever warning from the safe browsing service about 10 minutes ago. Visiting a website that I go to regularly... I'm glad they caught that one site getting compromised at least as I place very little confidence in AV software nowadays.

That said, I'm not particularly thrilled with a browser feature that tells you where not to go on the internet. I'd rather be able to go there and not get infected by browser exploits. Drive-by downloads I'm not worried about. Embedded PDFs I'm not worried about. (I uninstalled the Adobe plugin. Any PDFs are downloaded rather than opened.) That pretty much just leaves the browser, Fl

1. use a more secure OS (meaning anything other than MS-Windows) a Linux distro or one of the flavors of BSD

2. keep two webbrowsers = one with plugins and goodies for websites you know are known safe like slashdot, youtube, & etc... but never use that fancy browser with the plugins for general purpose webbrowsing

3. for general purpose webbrowsing and looking in to unknown websites use a locked down and secured webbrowser that does not even have any plugins and with javascript disabled,.. and if a

That's not what the web works like. The people endangered by malware are your neighbors (particularly your male neighbor because he's watching porn all day, and we all know women don't watch porn). Your neighbors are people who hardly know what "Browser" means, have once heard about this "Microsoft Linux" thing and will buy a new PC when their current one gets slow. This is the majority of the society, and you can't fix it by adding more instructions and manuals to every piece of software.

Or you could just use chrome with click-to-play (go to about:flags and enable it) and the do not allow javascript setting and put trusted sites in exceptions list. Or you could use NoScripts for more control but i would rather not install any add-on's either. Or you could use the incognito mode as your general browsing browser due to all plugins and extensions are disabled and all your info is deleted so no chance of malicious site getting the info. I see absolutely no reason to have 2 browsers.

Google used to have a problem with malware and phishing sites being hosted on their own Google Sites. Once they plugged that hole, the malware moved to Google Spreadsheets. Because you can put HTML in Google's spreadsheets, it can be used as a free hosting service. Google hadn't anticipated this, and their abuse operation couldn't handle it.